Over the last few years, hackers have set their targets on Internet-connected baby monitors. They have hacked into baby monitors to scream at toddlers, to curse out their parents, and to turn them into spy cams. Key security considerations for home use products can be very different than that for business. Home users must not be presumed to have received any security training. Average home users may be technically incompetent, incapable of understanding product manuals, and reluctant to registering with product manufacturers. Difficult issues are identified based on observations made from reported baby monitor hacks in the past.
Expert advice too hard to follow—Following the most recent high-profile baby monitor hack, various experts have given two dozen or more best practices for home users to follow. Advices such as “set it up so that the configuration screens can only be accessed from your side of the network, either by plugging into one of the LAN (local-area network) ports on the back, or via Wi-Fi” [1], or “it should communicate only with a ‘tier 1’ server or a cloud hosting company, rather than strictly peer-to-peer” [2] are too technically challenging for average home users who are readily overwhelmed by jargons such as LAN vs WAN, or WIFI vs Cloud vs Tier 1.
Intrusion goes unnoticed—All widely available models offer little more than embedded event logs as a means for intrusion detection. Not only are these logs not easily accessible, but their use require analytical skills that is an unrealistic expectation of average home users.
Poor forensic design—Even after a parent obtains an embedded log after discovery of a hack, it still takes tremendous amount of technical skills to perform reverse geolocation lookup based on remote ip addresses in order to locate and report the intruders. It has also been reported the embedded logs get wiped out upon powering off in some models, which adds to the burden on home users who may risk losing all evidence by not following procedures.
Poor industrial design—While reports have always shown a recurring theme of vulnerabilities as a consequence of either actions or inactions of home users [4] [5], researchers have long recognized those actions and inactions as known behavior that better industrial design should be able to compensate for. For example, study has shown reluctance of registering products as an expected behavior of home users [6], and as such security considerations should take into account of home users not performing latest firmware upgrade, perhaps due to failure to register with manufacturers, or due to purchasing via a reseller.
Therefore, it is clear that industrial design for home use products require a different set of security considerations. Home network is assumed to be always vulnerable and never reliably secure, and thus a new solution is needed for securing use of baby monitor at home.